How to Use Bitcoin to Incentivize Correct Computations

We study a model of incentivizing correct computations in a variety of cryptographic tasks. For each of these tasks we propose a formal model and design protocols satisfying our model's constraints in a hybrid model where parties have access to special ideal functionalities that enable monetary transactions. We summarize our results: Verifiable computation. We consider a setting where a delegator outsources computation to a worker who expects to get paid in return for delivering correct outputs. We design protocols that compile both public and private verification schemes to support incentivizations described above. Secure computation with restricted leakage. Building on the recent work of Huang et al. (Security and Privacy 2012), we show an efficient secure computation protocol that monetarily penalizes an adversary that attempts to learn one bit of information but gets detected in the process. Fair secure computation. Inspired by recent work, we consider a model of secure computation where a party that aborts after learning the output is monetarily penalized. We then propose an ideal transaction functionality FML and show a constant-round realization on the Bitcoin network. Then, in the FML-hybrid world we design a constant round protocol for secure computation in this model. Noninteractive bounties. We provide formal definitions and candidate realizations of noninteractive bounty mechanisms on the Bitcoin network which (1) allow a bounty maker to place a bounty for the solution of a hard problem by sending a single message, and (2) allow a bounty collector (unknown at the time of bounty creation) with the solution to claim the bounty, while (3) ensuring that the bounty maker can learn the solution whenever its bounty is collected, and (4) preventing malicious eavesdropping parties from both claiming the bounty as well as learning the solution. All our protocol realizations (except those realizing fair secure computation) rely on a special ideal functionality that is not currently supported in Bitcoin due to limitations imposed on Bitcoin scripts. Motivated by this, we propose validation complexity of a protocol, a formal complexity measure that captures the amount of computational effort required to validate Bitcoin transactions required to implement it in Bitcoin. Our protocols are also designed to take advantage of optimistic scenarios where participating parties behave honestly.

[1]  Andrew Chi-Chih Yao,et al.  How to Generate and Exchange Secrets (Extended Abstract) , 1986, FOCS.

[2]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[3]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[4]  N. Asokan,et al.  Optimistic fair exchange of digital signatures , 1998, IEEE Journal on Selected Areas in Communications.

[5]  Philippe Golle,et al.  Uncheatable Distributed Computations , 2001, CT-RSA.

[6]  Oded Goldreich Foundations of Cryptography: Index , 2001 .

[7]  E. Friedman,et al.  The Social Cost of Cheap Pseudonyms , 2001 .

[8]  Leslie Lamport,et al.  Fast Paxos , 2006, Distributed Computing.

[9]  Matthew K. Franklin,et al.  Efficiency Tradeoffs for Malicious Two-Party Computation , 2006, Public Key Cryptography.

[10]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[11]  Yehuda Lindell,et al.  A Proof of Security of Yao’s Protocol for Two-Party Computation , 2009, Journal of Cryptology.

[12]  Alptekin Küpçü,et al.  Incentivizing outsourced computation , 2008, NetEcon '08.

[13]  Adam D. Smith,et al.  Efficient Two Party and Multi Party Computation Against Covert Adversaries , 2008, EUROCRYPT.

[14]  Yehuda Lindell,et al.  Security Against Covert Adversaries: Efficient Protocols for Realistic Adversaries , 2007, Journal of Cryptology.

[15]  Craig Gentry,et al.  Non-interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers , 2010, CRYPTO.

[16]  Abhi Shelat,et al.  Optimistic Concurrent Zero Knowledge , 2010, ASIACRYPT.

[17]  Jonathan Katz,et al.  Quid-Pro-Quo-tocols: Strengthening Semi-honest Protocols with Dual Execution , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Elaine Shi,et al.  Bitter to Better - How to Make Bitcoin a Better Currency , 2012, Financial Cryptography.

[19]  Gilad Asharov,et al.  Calling out Cheaters: Covert Security With Public Verifiability , 2012, IACR Cryptol. ePrint Arch..

[20]  Craig Gentry,et al.  Quadratic Span Programs and Succinct NIZKs without PCPs , 2013, IACR Cryptol. ePrint Arch..

[21]  Craig Gentry,et al.  Pinocchio: Nearly Practical Verifiable Computation , 2013, 2013 IEEE Symposium on Security and Privacy.

[22]  Hugo Krawczyk,et al.  Outsourced symmetric private information retrieval , 2013, IACR Cryptol. ePrint Arch..

[23]  Brent Waters,et al.  Witness encryption and its applications , 2013, STOC '13.

[24]  Yael Tauman Kalai,et al.  How to Run Turing Machines on Encrypted Data , 2013, CRYPTO.

[25]  Yehuda Lindell,et al.  Fair and Efficient Secure Multiparty Computation with Reputation Systems , 2013, IACR Cryptol. ePrint Arch..

[26]  Hugo Krawczyk,et al.  Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries , 2013, IACR Cryptol. ePrint Arch..

[27]  Jean-Sébastien Coron,et al.  Practical Multilinear Maps over the Integers , 2013, CRYPTO.

[28]  Angelos D. Keromytis,et al.  Blind Seer: A Scalable Private DBMS , 2014, 2014 IEEE Symposium on Security and Privacy.

[29]  Marcin Andrychowicz,et al.  Secure Multiparty Computations on Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[30]  Marcin Andrychowicz,et al.  Fair Two-Party Computations via Bitcoin Deposits , 2014, Financial Cryptography Workshops.

[31]  Iddo Bentov,et al.  How to Use Bitcoin to Design Fair Protocols , 2014, CRYPTO.